
OAuth2 - introspected token is not used for authorization OIDCOAuthIntrospectionClientAuthBearerToken is empty #377

Closed
skauffmann opened this issue Jul 30, 2018 · 4 comments

Comments

@skauffmann

According to the documentation, mod_auth_openidc should use the introspected token when OIDCOAuthIntrospectionEndpointAuth is set to "bearer_access_token" and OIDCOAuthIntrospectionClientAuthBearerToken is empty.

Apache configuration

OIDCOAuthClientID "xxx"
OIDCOAuthClientSecret "xxx"
OIDCOAuthIntrospectionEndpoint "https://xxxx/xxx/oauth/nam/tokeninfo"
OIDCOAuthIntrospectionEndpointAuth bearer_access_token
OIDCOAuthIntrospectionClientAuthBearerToken ""
OIDCOAuthIntrospectionEndpointMethod GET
OIDCOAuthRemoteUserClaim user_id

mod_auth_openidc logs

[Mon Jul 30 10:57:51.660280 2018] [authz_core:debug] [pid 3182932:tid 140341804001024] mod_authz_core.c(809): [client 138.21.146.122:44453] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Jul 30 10:57:51.660363 2018] [authz_core:debug] [pid 3182932:tid 140341804001024] mod_authz_core.c(809): [client 138.21.146.122:44453] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Jul 30 10:57:51.660398 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/mod_auth_openidc.c(3371): [client 138.21.146.122:44453] oidc_check_user_id: incoming request: "/xxx_PRO_INT3/OPX2/glpproint3.intra.xxx.fr:17100/?(null)", ap_is_initial_req(r)=1
[Mon Jul 30 10:57:51.660438 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/util.c(1162): [client 138.21.146.122:44453] oidc_util_request_matches_url: comparing "/xxx_PRO_INT3/OPX2/glpproint3.intra.xxx.fr:17100/"=="/xxx_PRO_INT3/OPX2/glpproint3.intra.xxx.fr:17100/"
[Mon Jul 30 10:57:51.660469 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/oauth.c(124): [client 138.21.146.122:44453] oidc_oauth_get_bearer_token: accept_token_in=0
[Mon Jul 30 10:57:51.660730 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/util.c(2200): [client 138.21.146.122:44453] oidc_util_hdr_in_get: Authorization=Bearer /wEBAAICACDTzOg@DHzKWFdPzYdbyYJKaI2T5qSvl8FqZ@kqKck0e3TdROECkdAyUqskyjNKu2BNHIahxQREdHAMiJI0YG/m9qYyGW9jQJYUDp7h4d1aiXAx34adtW96DemIcsZPhm79xEdJW709xAU0VRrjGD6uJLuippHVvGHh1Pv4Ne8ChN9Pz8ZIU6yeJ19Tl4rxSMevCn9ama@oGbFL5LAzveptRtuN3n2A4JaOWrSBtcog4@Ck668ZwsteAi46sjsdk3@yhm9cvkmAwgqwrMzfHHDLSUFJVt8RfsuHlyJL1mlD5PmGQWUg6BpN/ZstQ6w0rx8wmBttO2Yef1ku86zACFrPRXZCxy5XiVqyVzBp53HD2dhNScbhDrtjSQPurqzF4ErMZUfPY8H@wDA/7uP7mzvJkrIFKVGMNHcl3nWhxa5uBvycMOkgMmdeM1nQs7PsJHU~
[Mon Jul 30 10:57:51.660757 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/oauth.c(136): [client 138.21.146.122:44453] oidc_oauth_get_bearer_token: authorization header found
[Mon Jul 30 10:57:51.660769 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/oauth.c(216): [client 138.21.146.122:44453] oidc_oauth_get_bearer_token: bearer token: /wEBAAICACDTzOg@DHzKWFdPzYdbyYJKaI2T5qSvl8FqZ@kqKck0e3TdROECkdAyUqskyjNKu2BNHIahxQREdHAMiJI0YG/m9qYyGW9jQJYUDp7h4d1aiXAx34adtW96DemIcsZPhm79xEdJW709xAU0VRrjGD6uJLuippHVvGHh1Pv4Ne8ChN9Pz8ZIU6yeJ19Tl4rxSMevCn9ama@oGbFL5LAzveptRtuN3n2A4JaOWrSBtcog4@Ck668ZwsteAi46sjsdk3@yhm9cvkmAwgqwrMzfHHDLSUFJVt8RfsuHlyJL1mlD5PmGQWUg6BpN/ZstQ6w0rx8wmBttO2Yef1ku86zACFrPRXZCxy5XiVqyVzBp53HD2dhNScbhDrtjSQPurqzF4ErMZUfPY8H@wDA/7uP7mzvJkrIFKVGMNHcl3nWhxa5uBvycMOkgMmdeM1nQs7PsJHU~
[Mon Jul 30 10:57:51.660787 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/cache/common.c(567): [client 138.21.146.122:44453] oidc_cache_get: enter: /wEBAAICACDTzOg@DHzKWFdPzYdbyYJKaI2T5qSvl8FqZ@kqKck0e3TdROECkdAyUqskyjNKu2BNHIahxQREdHAMiJI0YG/m9qYyGW9jQJYUDp7h4d1aiXAx34adtW96DemIcsZPhm79xEdJW709xAU0VRrjGD6uJLuippHVvGHh1Pv4Ne8ChN9Pz8ZIU6yeJ19Tl4rxSMevCn9ama@oGbFL5LAzveptRtuN3n2A4JaOWrSBtcog4@Ck668ZwsteAi46sjsdk3@yhm9cvkmAwgqwrMzfHHDLSUFJVt8RfsuHlyJL1mlD5PmGQWUg6BpN/ZstQ6w0rx8wmBttO2Yef1ku86zACFrPRXZCxy5XiVqyVzBp53HD2dhNScbhDrtjSQPurqzF4ErMZUfPY8H@wDA/7uP7mzvJkrIFKVGMNHcl3nWhxa5uBvycMOkgMmdeM1nQs7PsJHU~ (section=a, decrypt=0, type=shm)
[Mon Jul 30 10:57:51.662050 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/cache/common.c(603): [client 138.21.146.122:44453] oidc_cache_get: cache miss from shm cache backend for key /wEBAAICACDTzOg@DHzKWFdPzYdbyYJKaI2T5qSvl8FqZ@kqKck0e3TdROECkdAyUqskyjNKu2BNHIahxQREdHAMiJI0YG/m9qYyGW9jQJYUDp7h4d1aiXAx34adtW96DemIcsZPhm79xEdJW709xAU0VRrjGD6uJLuippHVvGHh1Pv4Ne8ChN9Pz8ZIU6yeJ19Tl4rxSMevCn9ama@oGbFL5LAzveptRtuN3n2A4JaOWrSBtcog4@Ck668ZwsteAi46sjsdk3@yhm9cvkmAwgqwrMzfHHDLSUFJVt8RfsuHlyJL1mlD5PmGQWUg6BpN/ZstQ6w0rx8wmBttO2Yef1ku86zACFrPRXZCxy5XiVqyVzBp53HD2dhNScbhDrtjSQPurqzF4ErMZUfPY8H@wDA/7uP7mzvJkrIFKVGMNHcl3nWhxa5uBvycMOkgMmdeM1nQs7PsJHU~
[Mon Jul 30 10:57:51.662076 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/oauth.c(67): [client 138.21.146.122:44453] oidc_oauth_validate_access_token: enter
[Mon Jul 30 10:57:51.662094 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/proto.c(1870): [client 138.21.146.122:44453] oidc_proto_token_endpoint_auth: token_endpoint_auth=bearer_access_token
[Mon Jul 30 10:57:51.662118 2018] [auth_openidc:error] [pid 3182932:tid 140341804001024] [client 138.21.146.122:44453] oidc_proto_endpoint_access_token_bearer: endpoint auth method set to bearer access token but no token is provided
[Mon Jul 30 10:57:51.662132 2018] [auth_openidc:error] [pid 3182932:tid 140341804001024] [client 138.21.146.122:44453] oidc_oauth_resolve_access_token: could not get a validation response from the Authorization server
[Mon Jul 30 10:57:51.662147 2018] [auth_openidc:debug] [pid 3182932:tid 140341804001024] src/util.c(2254): [client 138.21.146.122:44453] oidc_util_hdr_err_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Reference token could not be introspected"

For testing I have defined OIDCOAuthIntrospectionClientAuthBearerToken with the access_token, and the connection has been authenticated.
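The behaviour the report describes, as an added example that is not part of this thread or of mod_auth_openidc: the resource server picks the credential for the introspection call (a configured value, or the incoming access token itself when the setting is the empty string), sends the request, and maps the `user_id` claim of the response to REMOTE_USER. The `fixed=False` path reproduces the pre-fix mistake of using the incoming token as a lookup key rather than as the value. `OAuthConfig`, `select_endpoint_bearer_token`, `authenticate`, the in-memory `TOKEN_STORE`, the `token` query parameter and the RFC 7662 `active`/`exp` response shape are assumptions made for this simulation.

```python
from dataclasses import dataclass
from typing import Optional

# Claim mapped to REMOTE_USER (OIDCOAuthRemoteUserClaim in the reported configuration).
CLAIM_REMOTE_USER = "user_id"
# Fixed clock so the example is deterministic (constructed value).
NOW = 1_700_000_000


@dataclass
class OAuthConfig:
    # OIDCOAuthIntrospectionEndpointAuth, e.g. "bearer_access_token"
    introspection_endpoint_auth: str
    # OIDCOAuthIntrospectionClientAuthBearerToken: None = unset, "" = forward incoming token
    client_auth_bearer_token: Optional[str] = None


def select_endpoint_bearer_token(cfg, incoming_token, params, fixed=True):
    """Pick the credential for the Authorization header of the introspection request.

    A configured non-empty value is used as-is; the empty string means
    "forward the access token being validated".  fixed=False reproduces the
    pre-2.3.8 behaviour, where the incoming token was used as a *key* into the
    request parameter table instead of as the value (assumed reconstruction of
    the diff discussed in this thread, not the module's own code).
    """
    if cfg.introspection_endpoint_auth != "bearer_access_token":
        return None
    configured = cfg.client_auth_bearer_token
    if configured == "":
        return incoming_token if fixed else params.get(incoming_token)
    return configured


def build_introspection_request(cfg, incoming_token, params, fixed=True):
    """Assemble the GET request the resource server would send.  Raising here
    mirrors the module's "no token is provided" error seen in the log."""
    bearer = select_endpoint_bearer_token(cfg, incoming_token, params, fixed)
    if cfg.introspection_endpoint_auth == "bearer_access_token" and not bearer:
        raise ValueError("endpoint auth method set to bearer access token but no token is provided")
    return {
        "method": "GET",
        "headers": {"Authorization": f"Bearer {bearer}"} if bearer else {},
        # The "token" query parameter name is an assumption; the real name is configurable.
        "params": {"token": incoming_token},
    }


# Constructed token store standing in for the authorization server's tokeninfo endpoint.
TOKEN_STORE = {
    "tok-alice-valid":   {"active": True,  "user_id": "alice", "scope": "read", "exp": NOW + 600},
    "tok-bob-expired":   {"active": True,  "user_id": "bob",   "exp": NOW - 1},
    "tok-carol-revoked": {"active": False},
}


def fake_tokeninfo_endpoint(request):
    """Constructed endpoint: refuses unauthenticated calls and answers in the
    RFC 7662 shape (assumed) for the token named in the query parameter."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_client"}
    return 200, TOKEN_STORE.get(request["params"]["token"], {"active": False})


def authenticate(cfg, incoming_token, params=None, fixed=True, now=NOW):
    """Validate one request's access token via introspection and map the
    configured claim to REMOTE_USER.  Returns (remote_user, None) on success or
    (None, error_description) for the WWW-Authenticate challenge."""
    try:
        req = build_introspection_request(cfg, incoming_token, params or {}, fixed)
    except ValueError:
        return None, "Reference token could not be introspected"
    status, body = fake_tokeninfo_endpoint(req)
    if status != 200:
        return None, "Reference token could not be introspected"
    if not body.get("active"):
        return None, "token is not active"
    if body.get("exp", now + 1) <= now:
        return None, "token has expired"
    user = body.get(CLAIM_REMOTE_USER)
    if not user:
        return None, f"no {CLAIM_REMOTE_USER} claim in introspection response"
    return user, None


if __name__ == "__main__":
    cfg = OAuthConfig("bearer_access_token", "")
    print("fixed:", authenticate(cfg, "tok-alice-valid"))
    print("buggy:", authenticate(cfg, "tok-alice-valid", fixed=False))
```

With `fixed=False` the only way the introspection call ever gets a credential is if the parameter table happens to contain an entry keyed by the token string, which is why the reporter saw "no token is provided" until the token was hard-coded in OIDCOAuthIntrospectionClientAuthBearerToken.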

@zandbelt
Member

That seems to be a typo/bug that should be solved with:

diff --git a/src/oauth.c b/src/oauth.c
index 71498ce..a56b43c 100644
--- a/src/oauth.c
+++ b/src/oauth.c
@@ -163,8 +163,7 @@
 			((c->oauth.introspection_client_auth_bearer_token != NULL)
 					&& strcmp(c->oauth.introspection_client_auth_bearer_token,
 							"") == 0) ?
-									apr_table_get(params, token) :
-									c->oauth.introspection_client_auth_bearer_token;
+									token : c->oauth.introspection_client_auth_bearer_token;
 
 	/* add the token endpoint authentication credentials */
 	if (oidc_proto_token_endpoint_auth(r, c,
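Review bot: the removed `apr_table_get(params, token)` used the incoming bearer token as a key into the request parameter table, which returns NULL unless that table happens to hold an entry named after the token itself, so `oidc_proto_token_endpoint_auth` below received no credential and logged "no token is provided"; replacing it with `token` forwards the access token itself, which is what the empty-string setting is documented to do. Since the empty-string-means-forward convention is carried only by the `strcmp(..., "") == 0` in the condition, a one-line comment above the ternary stating that `""` means "reuse the incoming access token" would make the intent clear to the next reader.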


would you be able to test/verify/confirm that fix somehow?

@skauffmann
Author

Thank you for this quick reply. And I confirm the patch fixes the issue!

@al2rex

al2rex commented Nov 26, 2018

I got the same error; how do I fix this?

@zandbelt
Member

use 2.3.8 or later
